Eastern European Hackers Allegedly Stole $3 Million From Subway Customers

Credit and debit card information from more than 80,000 customers was allegedly stolen in a multi-year $3 million scam targeting Subway franchises.

A band of Eastern European crooks somehow managed to hack into the POS systems at more than 150 of the ubiquitous sandwich chain's franchises in a scheme dating back to 2008, according to technology website Ars Technica.

All the thieves had to do was sneak into the systems by cracking the businesses' passwords to desktop software.

Once they made their way in through the systems' backdoor, they planted scores of trojan horses and malware in the systems, which gleaned credit card information from customers every time they swiped their cards for a sub. The viruses also kept the businesses' software from updating its security settings.

One would think that a national chain like Subway would implement some decent IT security - and it does. The PCI Security Standards Council requires POS systems to have a two-factor authentication system, but in this case, it appears the franchise managers simply chose to cut corners.

"They had the tools, and could have easily blocked [the attack]," IT expert Konrad Fellman told the site. "These people weren't thinking about point of sale security—they were just thinking about making a sandwich."